Can a VNET address space be used for NSG source address prefix?
I want to allow traffic from all local subnets (excluding peered subnets) through the NSG. Since I only have one address space, the most straightforward approach seems to be to use the VNET's address_space as the security rule's source_address_prefix.
resource "azurerm_resource_group" "west01-rg" {
name = "west01-rg"
location = "West US"
}
resource "azurerm_virtual_network" "virtual-network" {
name = "west01-vnet"
location = "${azurerm_resource_group.west01-rg.location}"
resource_group_name = "${azurerm_resource_group.west01-rg.name}"
address_space = ["10.10.20.0/21"]
}
resource "azurerm_subnet" "servers-subnet" {
name = "ServersNet"
resource_group_name = "${azurerm_resource_group.west01-rg.name}"
virtual_network_name = "${azurerm_virtual_network.virtual-network.name}"
address_prefix = "10.10.20.0/24"
}
resource "azurerm_network_security_group" "dc-nsg" {
name = "dc-nsg"
location = "${azurerm_resource_group.west01-rg.location}"
resource_group_name = "${azurerm_resource_group.west01-rg.name}"
security_rule {
name = "AllowCidrSubnet"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "${azurerm_virtual_network.virtual-network.address_space}"
destination_address_prefix = "*"
}
tags {
environment = "Testing"
}
}
According to the documentation, this value can be in CIDR notation. However, my example above results in this error:
Error: azurerm_network_security_group.dc: security_rule.0.source_address_prefix must be a single value, not a list
If I switch to source_address_prefixes, which should accept a list, I get this error:
Error: azurerm_network_security_group.dcx: security_rule.0.source_address_prefixes: should be a list
So it looks like the value is both a list and not a list. Should this work, or should I do it a different way?
- Terraform v0.11.11
- provider.azurerm v1.21.0
In Terraform pre 0.12, every variable is a string type by default, and if you want to use a list or map type you have to use that type consistently whenever you pass the variable around. This should change in Terraform 0.12, because HCL2 has better support for types, including more complex type handling.
To fix your problem, you need to either index into the list to return a single element, which will then be a string, or stay consistent with your list type.
So both of these should work:
resource "azurerm_network_security_group" "dc-nsg" {
name = "dc-nsg"
location = "${azurerm_resource_group.west01-rg.location}"
resource_group_name = "${azurerm_resource_group.west01-rg.name}"
security_rule {
name = "AllowCidrSubnet"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "${azurerm_virtual_network.virtual-network.address_space[0]}"
destination_address_prefix = "*"
}
tags {
environment = "Testing"
}
}
Or use the list directly:
resource "azurerm_network_security_group" "dc-nsg" {
name = "dc-nsg"
location = "${azurerm_resource_group.west01-rg.location}"
resource_group_name = "${azurerm_resource_group.west01-rg.name}"
security_rule {
name = "AllowCidrSubnet"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefixes = ["${azurerm_virtual_network.virtual-network.address_space}"]
destination_address_prefix = "*"
}
tags {
environment = "Testing"
}
}
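An added check, not part of the question or the answer above: once the Terraform typing issue is solved, the value that ends up in source_address_prefix still deserves validation, because the address space in the question, 10.10.20.0/21, has host bits set (its actual network address is 10.10.16.0/21), and the intent was to match only local subnets, not peered ranges. This standard-library Python example normalizes the prefix, reports whether it had host bits, and confirms it lies inside the VNET address space without overlapping a peered range; the peered range 10.20.0.0/16 is a constructed value, and check_nsg_source_prefix is a name chosen here.

```python
import ipaddress

# Values taken from the question's Terraform configuration.
VNET_ADDRESS_SPACE = ["10.10.20.0/21"]
SUBNET_PREFIX = "10.10.20.0/24"
# Constructed value: an address space of a hypothetical peered VNET.
PEERED_SPACES = ["10.20.0.0/16"]


def normalize_prefix(cidr):
    """Return (network, had_host_bits).

    strict=False masks off any host bits so we get the real network address;
    a second strict=True parse tells us whether masking changed anything.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    try:
        ipaddress.ip_network(cidr, strict=True)
        return net, False
    except ValueError:
        return net, True


def check_nsg_source_prefix(source_prefix, vnet_address_space, peered_spaces=()):
    """Findings for one NSG source_address_prefix value.

    within_vnet: the prefix is fully contained in the VNET address space.
    overlaps_peer: the prefix would also admit traffic from a peered range,
    which is what the question wanted to avoid.
    """
    net, host_bits = normalize_prefix(source_prefix)
    vnet_nets = [ipaddress.ip_network(p, strict=False) for p in vnet_address_space]
    peer_nets = [ipaddress.ip_network(p, strict=False) for p in peered_spaces]
    return {
        "normalized": str(net),
        "host_bits_set": host_bits,
        "within_vnet": any(net.subnet_of(v) for v in vnet_nets),
        "overlaps_peer": any(net.overlaps(p) for p in peer_nets),
    }


if __name__ == "__main__":
    for prefix in (VNET_ADDRESS_SPACE[0], SUBNET_PREFIX, "10.0.0.0/8"):
        print(prefix, check_nsg_source_prefix(prefix, VNET_ADDRESS_SPACE, PEERED_SPACES))
```

Run against the question's values it shows that 10.10.20.0/21 normalizes to 10.10.16.0/21 and is what the rule will actually match, while a broader prefix such as 10.0.0.0/8 would also admit the peered range.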